
Security Assessment Team

I haven't posted for a while so I'm hoping this is the right forum for this question....

I'll give you a rundown on the situation first and then hopefully some of the gurus out there will be able to fill in the blanks...

Firstly, I'm working for a government organisation that has certain security requirements when it comes to our network and server base (Server 2003 and Linux (various flavours)).
Joy of joys, we have come up for an audit later this month and it is apparently fairly intrusive and wide reaching.

They have given over 3 hours for one of our networks which is primarily a Windows 2003 server environment using Cisco switches/routers that is NOT connected to the Internet. Physically separate entirely.

The opinion and thoughts I'm looking for is what tools do you think they'll be running to scan our network? We are already using the SE core for Linux, and have tried (as much as possible) to lock down the Windows servers.
Today I'm looking at running Bastille Linux to help on the Linux boxes and Nessus followed by ethereal to see what is open and floating around the network but I'm a little worried that I'm missing something?

Lastly, is it worth installing the encrypted IOS on the switches as well?

Firstly, I'm working for a government organisation that has certain security requirements

Yeah, I know what you are on about. I will leave the technical stuff to the Gurus and just suggest a bit of practical "audit defence".............. if you know what I mean?

Those buggers are as cunning as a cage of monkeys, trust me on that one mate! Please, please don't overlook the obvious............

1. Wear badges at all times........... if they don't (as is more than probable) then a properly conducted "armed intruder" or whatever you blokes call it, response goes down well.

2. Watch for physical security........... is the door locked? has the removable drive been put in the butterfly cabinet?

3. Has all authentication been carried out to the book? has everything been double checked? and signed for ...............

4. Make sure that they are escorted at all times, preferably by armed personnel.

5. Watch out for the "dolly bird", that is a favourite of theirs.............

Those guys carve notches in their briefcases for blokes they shoot down............. make sure you are not one of those notches mate.

You see, the guys they report to at the top know damn all about IT security........... they will probably try to trick you and catch you on simple physical security......... it is how they justify their existence?

They have given over 3 hours for one of our networks which is primarily a Windows 2003 server environment using Cisco switches/routers that is NOT connected to the Internet. Physically separate entirely.

That is what we would describe as our "secure network".................... not surprisingly, the weakest link is probably going to be the desktops and users?

It would probably be a good idea to get your user community involved by having a "security fortnight" and reminding them of whatever rules you have regarding external devices, cameras, cell phones, iPods, PDTs, USB drives and the like.

Also check that they cannot attach external devices to PCs connected to the secure network, and that your system detects the connection of unauthorised devices to it.

Please do not overlook the humble null modem cable.

I would also suggest that you do your own audit check on the desktops to make sure that they cannot be booted from CD/Floppy/USB............... it would only take one to have slipped through the net?

Also, make sure that all the cases are locked....................

Another thing that can be overlooked is security of any print servers that may be attached to the network. Particularly as these may have had another function previously, and may contain software from that time that now poses a security risk.

You may have armed guards in the front lobby, require photo and electronic ID before being allowed entry into the building, but if the ****-house window is left open to the rear parking someone can easily gain entry to the building. ( don't know how it applies, but that is what came to mind when I read this thread. )

Nothing for nothing, and I don't know who it is that will be auditing you and who you work for, but I think nihil is on point yet again ... the obvious will bite you. ( guessing here by statements given this will be more of a security than a compliance audit ?? )

Even people who know better oftentimes become complacent. Besides what has already been stated, Passwords:

Do people have sticky notes with their passwords on their monitors?
( Do you have password policies and are they followed? )

Do your passwords expire after time? Are they checked before being allowed to be used ( length, easily guessed, etc.? )

Do people give up their passwords to other employees ( or others ) for any reason?

Are your employees routinely reminded about social engineering?

Do your admins have one generic password?

Accounts:

Are unused accounts deleted or disabled?

How and how often are these accounts verified ( policies in place ) and who is responsible for doing so?

Are tasks assigned to admins properly segregated between the admin accounts?

Are users provided with only the access they need?

Services:

Are unneeded services removed from systems?
You may be very conscious of doing this on your servers, but this equally applies to workstations.
These are avenues for insiders to take advantage of.

Also, make sure all necessary patches have been applied, not only to the servers and workstations, but to the routers, etc. There should be no machines or equipment unless absolutely necessary that run systems that have reached their “end of life” and are no longer being supported ( Windows NT, Red Hat 5.x as examples. ) Be prepared to explain and justify in detail why it is absolutely necessary to run those systems.

Make sure that if you have systems that are required to be segregated or isolated from other systems that they are!

Review your policies
Trying to straighten out problems a month before an audit is futile at best. Hopefully everything mentioned so far is done routinely, so you don't have to worry about it. And hopefully you have proper policies in place that cover all the necessary areas both for general acceptance and for your particular needs. But nothing is more embarrassing than to have it made known that you do not comply with your own policies. It is one thing to be able to show ignorance of generally accepted standards, as they change so rapidly ( your ignorance may show you are not qualified for the job, ) but it is another entirely if they show you have not complied with your own policies, or have not made proper policies. This may not be just ignorance or incompetence, but in a government situation may be misfeasance.

Remember, if an audit finds major security problems they may not even get to compliance issues, or even delve into further security issues.

As far as your specific question, they will undoubtedly use a combination of open source and commercial tools. If your policies and their compliance of which are adequate, the tools they use should not make a difference.

I hope this helped, and I hope this encouraged you rather than worried you.

" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

I've been through a couple of these tests as well. Seen them use every trick imaginable.
To say the least... they are amazing and almost always find ways in.

They probed every aspect of Security pertaining to a military Command Center: Physical Security, Network Security, Telephone systems, and most specifically, how/if end users followed security policies. The various teams conducting the test took days. Found out they even had several people in plain clothes hang out at local restaurants during lunch hour to see who came in and if they still had their ID/Security badges on in public. They would also eavesdrop on their conversations to see if people were talking about work related (and/or sensitive) issues outside of the facility. All of this ties into Information Assurance training programs.

Also a consideration, limit their availability to your network. If you can, enable some sort of Port Security. A lot of times they will walk around, or if assigned to a specific area, will look for a way to jack into the network and run scans. If the port doesn't work, or is locked down in some fashion, you will have earned bonus points on your review.

You mentioned you have networks that don't have access to the net. In case you are referring to a NIPRNet and SIPRNet-like configuration (where you have an unclassified network which has access to the net and a Secret or above network which doesn't) you will most likely have users that have individual accounts on each of those networks. Of course the Information Assurance trainings tell you not to use the same passwords on various networks, but you still get people that do out of laziness..... or in some cases, the upper brass don't always feel those rules apply to them. Regardless, compare passwords from the various networks to see if users have used the same password. If your pen testing team cracks the SAM on an unclass system, I guarantee they will throw those same usernames and passwords against the classified systems. It worked in one case. At that time, one of our own admins (who was the least likely to do this) had the same password on his NIPRNet and SIPRNet accounts. The pen testing team was able to compromise a machine on the NIPRNet and eventually get access to the SAM on one of the DCs.
Sure enough, they took the username/passwords and ran a dictionary attack on a SIPRNet machine and got in..... WITH AN ADMIN account.... DOOOH!
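The port-security point above is easy to check before the auditors arrive by reading the switch configs rather than walking the floor. The script below is an added example, not code from the thread or from any poster: it parses a constructed `show running-config` excerpt (interface names and settings are hypothetical) and reports every access port that is administratively up but has no `switchport port-security` line. Ports left in the default dynamic mode carry no `switchport mode access` line and are not reported here, so they need a separate look.

```python
"""Audit a Cisco IOS running-config for access ports that lack port security.

Added example, not from the thread. SAMPLE_CONFIG is a constructed excerpt;
interface names and settings are hypothetical.
"""
import re
from typing import Dict, List

# Constructed sample: one protected access port, one unprotected access
# port, one shut port and one trunk.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface FastEthernet0/3
 shutdown
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""

INTERFACE_RE = re.compile(r"^interface (\S+)")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the indented lines of each 'interface ...' block under its name."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        m = INTERFACE_RE.match(raw)
        if m:
            current = m.group(1)
            interfaces[current] = []
            continue
        if current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or a top-level command ends the block
    return interfaces


def unprotected_access_ports(config: str) -> List[str]:
    """Return access ports that are up but carry no port-security command.

    Administratively shut ports are skipped (already closed to a stray
    laptop) and trunks are skipped (they need a different control set).
    Ports with no explicit 'switchport mode access' (IOS default dynamic
    mode) are not reported and need separate review.
    """
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "shutdown" in lines:
            continue
        if "switchport mode access" not in lines:
            continue
        if not any(line.startswith("switchport port-security") for line in lines):
            findings.append(name)
    return findings


if __name__ == "__main__":
    for port in unprotected_access_ports(SAMPLE_CONFIG):
        print(f"{port}: access port without port-security")
```

Feed it the output of `show running-config` from each switch on the isolated network and the list it prints is the set of sockets an auditor could plug into and get link on.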
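The cross-network password comparison the post recommends can be done as an internal audit step on hash dumps the administrators already hold, without cracking anything: NT hashes are unsalted, so an identical hash on both sides means an identical password. The script below is an added example, not code from the thread or from any poster. Its input lines are constructed samples in a pwdump-style `user:rid:lm_hash:nt_hash:::` layout; the NT hash values are made up, apart from the well-known hash of the empty password, which the script also flags.

```python
"""Flag accounts whose NT hash is identical on two separated networks.

Added example, not from the thread. The two dumps below are constructed
samples in a pwdump-style layout; NT hashes are made up except for
EMPTY_NT, the real NT hash of an empty password.
"""
from typing import Dict, List, Tuple

# NT hash of the empty string (MD4 of ""), a well-known constant.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed: dump from the unclassified network.
UNCLASS_DUMP = """\
jsmith:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
adm_bob:1001:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
alice:1106:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
svc_print:1110:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

# Constructed: dump from the classified network.
SECRET_DUMP = """\
jsmith:1203:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
adm_bob:1002:aad3b435b51404eeaad3b435b51404ee:a1b2c3d4e5f60718293a4b5c6d7e8f90:::
carol:1207:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""


def parse_dump(text: str) -> Dict[str, str]:
    """Map lower-cased username to lower-cased NT hash; skip blank lines."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"malformed dump line: {line!r}")
        entries[parts[0].lower()] = parts[3].lower()
    return entries


def same_password_accounts(a: Dict[str, str], b: Dict[str, str]) -> List[str]:
    """Users present on both networks whose NT hash is identical."""
    return sorted(u for u in a if u in b and a[u] == b[u])


def cross_user_reuse(a: Dict[str, str], b: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pairs (user_a, user_b) with different names but the same hash,
    i.e. one password shared or copied between accounts across networks."""
    by_hash: Dict[str, List[str]] = {}
    for user, h in b.items():
        by_hash.setdefault(h, []).append(user)
    pairs = []
    for user, h in a.items():
        for other in by_hash.get(h, []):
            if other != user:
                pairs.append((user, other))
    return sorted(pairs)


def blank_password_accounts(dump: Dict[str, str]) -> List[str]:
    """Accounts whose NT hash is the empty-password hash."""
    return sorted(u for u, h in dump.items() if h == EMPTY_NT)


if __name__ == "__main__":
    low, high = parse_dump(UNCLASS_DUMP), parse_dump(SECRET_DUMP)
    print("same password on both networks:", same_password_accounts(low, high))
    print("shared password across different users:", cross_user_reuse(low, high))
    print("blank passwords (unclass):", blank_password_accounts(low))
```

Run this against the dumps you keep for each network and every account it lists should get a forced change before the assessment team arrives; the comparison is pure equality on hashes, so nothing about the passwords themselves leaves the file.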

The username/password combo on two separate networks is something that I hadn't thought of, so something to bear in mind as I'm doing my own testing.

Thankfully there is NO access to any USB ports anywhere on the network (not even USB mice) so that is a small bonus when it comes to watching cameras, USB sticks, iPods etc. Likewise the BIOSes are locked down, but I always see that as a weak link... out with the battery and hey presto, they're in

OK, that is why I mentioned the case lock (physical) and the case opened warning.

Look at lappies.............. some have a boot password, and a login password, and then a hard drive password. The HDD is encrypted as well. I still like the removable HDD solution, and it is not expensive to implement! You can do what you like with the BIOS, but without a HDD?

So, what is it with the lappy? well, they have a separate EEPROM chip on the MoBo that handles the physical access. I seem to recall that they are 24C chips? You can leave the battery out for eternity, and it will still not let you in, because it is non-volatile memory.

Yes, of course I know how to get round it, but that should be beyond your average auditor?

The HDD password is a real pig..................it lives in a hidden sector of the HDD, and we are looking at serious Intelligence Services budgets, staff and equipment for this one. I will presume that is what you have to assume in your scenario?

Please have your "proposed security improvements" paper submitted to your GOC about a week before the audit...............it sort of takes the wind out of their sails